23.7 “Restless Roadrunner” Series
For more than 8 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.7, nicknamed “Restless Roadrunner”, features numerous MVC/API conversions including the new OpenVPN “instances” configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2 plus much more.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
Full mirror list: https://opnsense.org/download/
23.7.5 (September 26, 2023)
Today's release changes the MTU handling of parent interfaces. This is mostly noticeable with PPPoE, where the parent interface's MTU must be large enough to carry the child's MTU plus the additional VLAN or PPPoE header. If the parent MTU is already explicitly set to a smaller value, that configured value is still used as-is, so check your configuration and clear the MTU field if you want the system to derive the effective parent MTU itself.
Also included is a change in far gateway handling. Previously, if a far gateway was not the designated default gateway during boot, the routing table lacked the required interface route and gateway monitoring would permanently report that gateway as down. The interface route is now ensured whenever the gateway is applied, not only when it becomes the default gateway, so monitoring works in all cases.
Also fixed is the problematic migration of the Unbound interface settings: it now discards interfaces it cannot identify so that the migration can proceed and Unbound is up and running after the update, which was previously not the case for some users.
Other reliability improvements and third-party security updates are included as well. We also continue our effort to clean up the interface handling code and to audit the MVC model files for consistency. A missing change for out-of-the-box DS-Lite support is being tested on the development version now and will likely land in 23.7.6.
Here are the full patch notes:
system: pluginctl: allow -f mode to drop config properties
system: switch to /usr/sbin/nologin as authoritative command location
system: remove remaining spurious ifconfig data pass to Gateways class
system: fix data cleansing issue in “column_count” and “sequence” values on dashboard
system: start gateway monitors after firewall rules are in place (contributed by Daggolin)
system: refactor far gateway handling out of default route handling
interfaces: use interfaces_restart_by_device() where appropriate
interfaces: allow get_interface_ipv6() to return in all three IPv6 variants
interfaces: add GRE/GIF/bridge/wlan return values
interfaces: signal wlan device creation success/failure
interfaces: update link functions for GIF/GRE
interfaces: remove the ancient OpenVPN-tap-on-a-bridge magic on IPv4 reload
interfaces: update read-only bridge member code
interfaces: redirect after successful interface add
interfaces: add interface return feature for use on bridges/assignment page
interfaces: VIP model style update
interfaces: implement interface_configure_mtu()
firewall: fix cleanup issue when renaming an alias
dhcp: make dhcrelay code use the Gateways class
ipsec: add local_port and remote_port to connections (contributed by Monviech)
openvpn: force instance interface down before handing it over to daemon
openvpn: add missing up and down scripts to instances (contributed by Daggolin)
unbound: properly set a default value for private address configuration
unbound: allow disabled interfaces in interface field
unbound: migrate active/outgoing interfaces discarding invalid values
unbound: UX improvements on several pages
unbound: update model
mvc: update diagnostics models
mvc: add isLinkLocal()
interfaces: allow clean MVC access to primary IPv4 address (pluginctl -4 mode)
plugins: os-upnp replaces calls to obsolete get_interface_ip()
plugins: os-rfc2136 replaces calls to obsolete get_interface_ip[v6]()
plugins: os-sunnyvalley 1.3 changes repository URL (contributed by Sunnyvalley)
plugins: os-tinc adds missing subnet-down script (contributed by andrewhotlab)
ports: curl 8.3.0 [1]
ports: nss 3.93 [2]
ports: openssl 1.1.1w [3]
ports: phalcon 5.3.1 [4]
ports: phpseclib 3.0.23 [5]
ports: sqlite 3.43.1 [6]
ports: suricata 6.0.14 [7]
23.7.4 (September 14, 2023)
The usual set of improvements goes out today, with FreeBSD security advisories on top. The new Python version was also picked up.
Note that the WireGuard plugin improvement effort is still ongoing; this time we refreshed the dashboard widget, which had been requested a number of times. Polish has been added to the GUI languages as well.
Here are the full patch notes:
system: correctly set RFC 5424 on remote TLS system logging
system: remove hasGateways() and write DHCP router option unconditionally
system: avoid plugin system for gateways monitor status fetch
system: remove passing unused ifconfig data to Gateways class on static pages
system: remove passing unused ifconfig data on gateway monitor status fetch
system: remove the unused “alert interval” option from the gateway configuration
interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account
interfaces: teach ifctl to dump all files and its data for an interface
interfaces: remove dead link/hint in GIF table
interfaces: avoid duplicating $vfaces array
interfaces: introduce interfaces_restart_by_device()
firewall: remove old __empty__ options trick from shaper model
firewall: update models for clarity
firmware: update model for clarity
ipsec: omit conditional authentication properties when not applicable on connections
ipsec: fix key pair generator for secp256k1 EC and add proper naming to GUI (contributed by Manuel Faux)
ipsec: allow the use of eap_id = %any in instances
openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)
openvpn: add CARP VHID tracking for client instances
openvpn: add tun-mtu/fragment/mssfix combo for instances
openvpn: add “route-gateway” advanced option to CSO
openvpn: use new File::file_put_contents() wrapper for instances
openvpn: updated model and clarified “auth” default option
mvc: remove “non-functional” hints from form input elements
mvc: uppercase default label in BaseListField is more likely
ui: add bytes format to standard formatters list
plugins: os-ddclient 1.16 [1]
plugins: os-frr 1.36 [2]
plugins: os-wireguard 2.1 [3]
plugins: os-tinc 1.7 adds support for “StrictSubnets” variable (contributed by andrewhotlab)
lang: update translations and add Polish
src: bring back netmap tun(4) ethernet header emulation (contributed by Sunny Valley Networks)
src: axgbe: gracefully handle i2c bus failures
src: bnxt: do not restart on VLAN changes
src: ice: do not restart on VLAN changes
src: net: do not overwrite VLAN PCP
src: net: remove VLAN metadata on PCP / VLAN encapsulation
src: if_vlan: always default to 802.1
src: iflib: fix panic during driver reload stress test
src: iflib: fix white space and reduce some line lengths
src: ixgbe: define IXGBE_LE32_TO_CPUS
src: ixgbe: check for fw_recovery
src: net80211: fail for unicast traffic without unicast key [4]
src: pcib: allocate the memory BAR with the MSI-X table [5]
ports: php 8.2.10 [6]
ports: python 3.9.18 [7]
ports: unbound 1.18.0 [8]
23.7.3 (August 30, 2023)
Recently we improved the workflow for bringing language updates to the release so here we are with an updated translation package including added support for Korean. Thanks a lot to all contributors for keeping this going strong!
If you would like to help with translations you can sign up via:
https://poeditor.com/projects/view?id=179921
Also of note is the largely rewritten backend of the WireGuard kernel module plugin, which now runs a separate service for each instance, much like OpenVPN does. The dependency on the wireguard-tools and bash packages was removed. The plugin will consequently be moved into the core for 24.1, and the WireGuard Go plugin will be removed completely: on FreeBSD 13.2 no external package is needed to enjoy WireGuard, and the permanent presence of the kernel module renders the Go fallback defunct due to quirks in the wireguard-tools/wg-quick implementation.
Here are the full patch notes:
system: fix missing config save when RRD data is supplied during backup import
system: defer config reload to SIGHUP in gateway watcher
system: handle “force_down” state correctly in gateway watcher
system: make Gateways class argument optional
interfaces: tweak UX of interface settings page
interfaces: further improve PPP MTU handling
interfaces: remove workaround to re-reload the routing during bootup for an edge case that no longer exists
firewall: fix group priority handling regression
firewall: improve filter functionality to combine multiple network clauses in states page
dhcp: map interfaces to interface names instead of devices
dhcp: fix iaid_duid parsing in IPv6 lease page
intrusion detection: support “bypass” keyword in user-defined rules (contributed by Monviech)
openvpn: fix mismatch issue when pinning a CSO to a specific instance
openvpn: add advanced option for optional CA selection
unbound: fix concurrent session closing the handle while still writing data in Python module
web proxy: remove long deprecated “dns_v4_first” setting from GUI
mvc: extend PortField to optionally allow port type aliases
lang: update all languages and add Korean
plugins: os-firewall 1.4 adds port alias support
plugins: os-frr 1.35 [1]
plugins: os-wireguard 2.0 [2]
ports: filterlog fix to prevent crash on default rule number -1
23.7.2 (August 23, 2023)
Assorted improvements ship with this release. Of special note is the proper monitoring of down gateways, which allows the new gateway watcher to notice a gateway coming back online when a cable is plugged in. A Wazuh agent plugin was added, and the ddclient plugin received new protocol support, including AWS Route53 amongst others.
Here are the full patch notes:
system: improve monitoring of down gateways
system: clear all /var/run directories on bootup
system: put lock()/unlock() back for legacy plugin compatibility
interfaces: fix special device name chars used in shell variables
interfaces: prevent IPv6 mismatches when using compressed format in VIP
interfaces: remove descriptive name from newwanip logging
interfaces: typo in MRU handling for PPP
interfaces: improve PPPoE MTU handling
interfaces: switch rtsold to -A mode
firewall: missing interface group registration on group creation
dhcp: improve UX of the new MVC lease pages
firmware: remove defunct mirror “Dept. of CSE, Yuan Ze University”
intrusion detection: fix events originating from “int^” due to IPS mode use
ipsec: add colon to supported character list for pre-shared key IDs
ipsec: reqid should not stick when copying a phase 1
monit: fix empty timeout value (contributed by Michael Muenz)
openvpn: properly map user groups for authentication
openvpn: bring instances into server field
openvpn: fix separator for redirect-gateway attribute in instances and CSO
unbound: fixed configuration when custom blocks are used (contributed by Evgeny Grin)
plugins: os-ddclient 1.15 [1]
plugins: os-iperf adds rubygem-rexml dependency (contributed by Hannah Kiekens)
plugins: os-relayd 2.7 now supports newer upstream release of relayd
plugins: os-wazuh-agent 1.0 [2]
src: remove if_wg from kernel modules to unbreak current wireguard-go use
src: axgbe: LED control for A30 platform
src: gif: revert in{,6}_gif_output() misalignment handling
src: igc: sync srrctl buffer sizing with e1000
src: ip_output: ensure that mbufs are mapped if ipsec is enabled
src: ixgbe: warn once for unsupported SFPs
src: ixgbe: add support for 82599 LS
src: ixl: add link state polling
src: ixl: port ice’s atomic API to ixl
src: rss: set pin_default_swi to 0 by default
src: rtsol: introduce an ‘always’ script
ports: krb5 1.21.2 [3]
ports: openldap 2.6.6 [4]
ports: openvpn 2.6.6 [5]
ports: php 8.2.9 [6]
ports: phalcon 5.3.0 [7]
ports: phpseclib 3.0.21 [8]
ports: py-dnspython 2.4.2
23.7.1 (August 08, 2023)
23.7 looks pretty good so far, but that is no reason not to make it better. The MVC changes for DHCP, firewall groups, OpenVPN and Unbound receive several required fixes, and the latest FreeBSD security advisories were added as well.
Here are the full patch notes:
system: close boot file after probing to avoid lock inheritance
system: fix lock() inheriting the lock state
system: give more context in process kill error case since we operate PID numbers only
firewall: groups were not correctly parsed for menu post-migration
firewall: hide row command buttons for internal groups
firewall: add “ipv6-icmp” to protocol list in shaper
firewall: fix PHP warnings on the rules pages
dhcp: check if manufacturer exists for IPv4 lease page to prevent error
dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error
dhcp: fix validation for static entry requirement
firmware: revoke 23.1 fingerprint
network time: support pool directive and maxclock (contributed by Kevin Fason)
openvpn: fix static key delete
openvpn: fix “mode” typo and push auth “digest” into export config
openvpn: fix race condition when using CRLs in instances
openvpn: remove arbitrary upper bounds on some integer values in instances
unbound: migration of empty nodes failed from 23.1.11 to 23.7
unbound: fix regression when disabling first domain override
mvc: fix empty item selection issue in BaseListField
plugins: os-ddclient 1.14 [1]
plugins: os-acme-client 3.19 [2]
src: bhyve: fully reset the fwctl state machine if the guest requests a reset [3]
src: frag6: avoid a possible integer overflow in fragment handling [4]
src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs
src: libpfctl: ensure the initial allocation is large enough
src: pf: handle multiple IPv6 fragment headers
ports: curl 8.2.1 [5]
ports: nss 3.92 [6]
ports: openssl 1.1.1v [7]
ports: perl 5.34.1 [8]
ports: py-dnspython 2.4.1
ports: strongswan 5.9.11 [9]
ports: syslog-ng 4.3.1 [10]
A hotfix release was issued as 23.7.1_3:
firewall: do not clone “associated-rule-id”
network time: fix “Soliciting pool server” regression (contributed by Allan Que)
dhcp: fix IPv4 lease removal
23.7 (July 31, 2023)
For more than 8 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.7, nicknamed “Restless Roadrunner”, features numerous MVC/API conversions including the new OpenVPN “instances” configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2 plus much more.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 23.1.11:
system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
system: fix assorted PHP 8.2 deprecation notes
system: fix assorted permission-after-write problems
system: introduce a gateway watcher service and fix issue with unhandled “loss” trigger when “delay” is also reported
system: enabled web GUI compression (contributed by kulikov-a)
system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
system: allow “.” DNS search domain override
system: on boot let template generation wait for configd socket for up to 10 seconds
system: do not allow state modification on GET for power off and reboot actions
system: better validation and escaping for cron commands
system: better validation for logging user input
system: improve configuration import when interfaces or console settings do not match
system: name unknown tunables as “environment” as they could still be supported by e.g. the boot loader
system: sanitize $act parameter in trust pages
system: add severity filter in system log widget (contributed by kulikov-a)
system: mute openssl errors pushed to stderr
system: add opnsense-crypt utility to encrypt/decrypt a config.xml
system: call opnsense-crypt from opnsense-import to deal with encrypted imports
interfaces: extend/modify IPv6 primary address behaviour
interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
interfaces: introduce a lock and DAD timer into newwanip for IPv6
interfaces: rewrite LAGG pages via MVC/API
interfaces: allow manual protocol selection for VLANs
interfaces: remove null_service toggle as empty service name in PPPoE works fine
interfaces: on forceful IPv6 reload do not lose the event handling
interfaces: allow primary address function to emit device used
firewall: move all automatic rules for interface connectivity to priority 1
firewall: rewrote group handling using MVC/API
firewall: clean up AliasField to use new getStaticChildren()
firewall: “kill states in selection” button was hidden when selecting only a rule for state search
firewall: cleanup port forward page and only show the associated filter rule for this entry
captive portal: safeguard template overlay distribution
dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
dhcp: align router advertisements VIP code and exclude /128
dhcp: allow “.” for DNSSL in router advertisements
dhcp: print interface identifier and underlying device in “found no suitable address” warnings
firmware: opnsense-version: remove obsolete “-f” option stub
firmware: properly escape crash reports shown
firmware: fix a faulty JSON construction during partial upgrade check
firmware: fetch bogons/changelogs from amd64 ABI only
ipsec: add missing config section for HA sync
ipsec: add RADIUS server selection for “Connections” when RADIUS is not defined in legacy tunnel configuration
ipsec: only write /var/db/ipsecpinghosts if not empty
ipsec: check IPsec config exists before use (contributed by agh1467)
ipsec: fix RSA key pair generation with size other than 2048
ipsec: deprecating tunnel configuration in favour of new connections GUI
ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
ipsec: add passthrough networks when specified to prevent overlapping “connections” missing them
monit: fix alert script includes
openvpn: rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration option [2]
openvpn: rewrote client specific overrides using MVC/API
unbound: rewrote general settings and ACL handling using MVC/API
unbound: add forward-tcp-upstream in advanced settings
unbound: move unbound-blocklists.conf to configuration location
unbound: add database import/export functions for when DuckDB version changes on upgrades
unbound: add cache-max-negative-ttl setting (contributed by hp197)
unbound: fix upgrade migration when database is not enabled
unbound: minor endpoint cleanups for DNS reporting page
wizard: restrict to validating only IPv4 addresses
backend: minor regression in deeper nested command structures in configd
mvc: fill missing keys when sorting in searchRecordsetBase()
mvc: properly support multi clause search phrases
mvc: allow legacy services to hook into ApiMutableServiceController
mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
mvc: add generic static record definition for ArrayField
ui: introduce collapsible table headers for MVC forms
plugins: os-acme-client 3.18 [3]
plugins: os-bind 1.27 [4]
plugins: os-dnscrypt-proxy 1.14 [5]
plugins: os-dyndns removed due to unmaintained code base
plugins: os-frr 1.34 [6]
plugins: os-firewall 1.3 allows floating rules without interface set (contributed by Michael Muenz)
plugins: os-telegraf 1.12.8 [7]
plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
src: ipsec: add PMTUD support
src: FreeBSD 13.2-RELEASE [8]
ports: krb 1.21.1 [9]
ports: nss 3.91 [10]
ports: phalcon 5.2.3 [11]
ports: php 8.2.8 [12]
ports: py-duckdb 0.8.1
ports: py-vici 5.9.11
ports: sudo 1.9.14p3 [13]
ports: suricata now enables Netmap V14 API
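The first entry in the list above concerns validating the post-login redirect target so that the login page cannot be used to send users elsewhere. The following Python function is an added illustration of that class of check; it is not OPNsense's own code (which lives in PHP and uses parse_url()). The hypothetical safe_login_redirect() accepts only a plain absolute path on the same host and falls back to a default page for anything else; the candidate targets in the block are constructed test inputs.

```python
from urllib.parse import urlsplit

# Added illustration, not OPNsense code: decide whether a user-supplied
# post-login redirect target may be followed. Only a plain absolute path on
# the same host is accepted; everything else falls back to `default`.
def safe_login_redirect(target, default="/"):
    if not isinstance(target, str) or not target:
        return default
    # Whitespace and control characters make parsers disagree about where the
    # path ends (urlsplit itself silently drops tab/CR/LF); reject them outright.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    # Browsers treat a backslash like a slash, so "/\evil.example" becomes
    # "//evil.example" (protocol-relative) once it reaches the client.
    if "\\" in target:
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        # Unparseable input (e.g. broken IPv6 bracket syntax): not worth following.
        return default
    # A scheme ("https:", "javascript:") or an authority part means the
    # target leaves this host.
    if parts.scheme or parts.netloc:
        return default
    # Check the raw string, not parts.path: "///evil.example" parses to an
    # empty netloc but resolves as scheme-relative in a browser.
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


# Constructed sample inputs an attacker or a legitimate client might send.
SAMPLE_TARGETS = [
    "/ui/core/firmware",
    "/index.php?next=/ui/diagnostics/log/core/system",
    "https://evil.example/phish",
    "//evil.example",
    "///evil.example",
    "/\\evil.example",
    "javascript:alert(1)",
    " /ui/core/firmware",
    "",
]


def classify(targets):
    """Map each candidate to the URL the login page would actually redirect to."""
    return {t: safe_login_redirect(t) for t in targets}


if __name__ == "__main__":
    for candidate, result in classify(SAMPLE_TARGETS).items():
        verdict = "follow" if result == candidate else "fallback"
        print(f"{verdict:8} {candidate!r} -> {result!r}")
```

The check is deliberately an allow-list (absolute same-host path only) rather than a deny-list of known bad prefixes; the protocol-relative and backslash cases show why a parser's view of "no host" is not enough on its own.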
Migration notes, known issues and limitations:
The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.
IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is recommended. An appropriate EoL announcement will be made next year.
The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.
The public key for the 23.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu90d9OlhEEqfPTRC5tVp
# XK1KAtvzKPVf2jvmTtWgFRFCB3fuYQcO7oNefXJoK0LaHNQgiOsBTvepVMicl2aI
# zrehgdbljjNFmp6KzEM55x05zOfZV8Gi8AEaJzEbb3rkWLkiXHnANfhHGvtHOrGr
# Hct84NMCcfCZZerwaQMqi+SAjgUzA+asmhAvjN0fbdH2SLx/ZMNzDcyPRFGtGiC7
# RQCzgCGz39ppJP4qordzRSy5YiwCxNe/SL/4ZG04eMVti47BPTCtioBzuASHqALJ
# BVOFzZpr1WZ89PT/T5W6xYzoyWemOyv9Rh+rhaTAhnq+OO4yudaytpPCAtXBULr/
# VOlDOX//qaZR8qbQOC9y9kIETH8Iivis5tonBAQmYPIJiqcxfjM4/R7yP2Q7mEsr
# PLNyP6HNe77JGoW1axNZlB/OL1XUI3r+Kksc2woIqTQ5sq95tHbddNqGIDg4cEOX
# FM5Y7tdvVEwl/nutaAzP07sqEyF8uNScLGsQwpBxHwV/qGGc+PbGqmbmWg3+Kt+e
# UeNcMvrgayhRt+lpVCAorVVjUTp0Y2+1x+V/IpukOaS2oldPIF0iXLZsQ90KYP3X
# QtmuxbiC2Em+eGHB6nSg1UZgUEaAb3xP1fpuLbi9McoUPxMXxVdfihSfSfUFXJTH
# SmqdO1BdG7VSwiQq9Ekbu5UCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-23.7-dvd-amd64.iso.bz2) = bf67374d04fb00a29d80f9870ac86491b0a87d5dd386c2bd97def0691547e263
# SHA256 (OPNsense-23.7-nano-amd64.img.bz2) = 4adbbd69d0ce1766395555475ea29713f9043735a0c9067206d9945cb626200a
# SHA256 (OPNsense-23.7-serial-amd64.img.bz2) = 03c774f53520414c73cdcaa4fe3b34c4165395963bef74c533c3878a07b80138
# SHA256 (OPNsense-23.7-vga-amd64.img.bz2) = 8a235d2cba717b9b2ea4d5588028c087adc6ff472ae8efd381a26a9640298c67
23.7.r3 (July 26, 2023)
Quick release candidate update. Last one. Promise.
Still on track for the final release on July 31.
Here are the full patch notes:
interfaces: on forceful IPv6 reload do not lose the event handling
interfaces: allow primary address function to emit device used
dhcp: print interface identifier and underlying device in “found no suitable address” warnings
wizard: restrict to validating only IPv4 addresses
Stay safe, Your OPNsense team
23.7.r2 (July 24, 2023)
Quick release candidate update. May or may not be the last one this week depending on the feedback we will receive. So far thanks to all the brave testers!
Still on track for the final release on July 31.
Here are the full patch notes:
system: mute openssl errors pushed to stderr
system: add opnsense-crypt utility to encrypt/decrypt a config.xml
system: call opnsense-crypt from opnsense-import to deal with encrypted imports
interfaces: rewrite LAGG pages via MVC/API
interfaces: allow manual protocol selection for VLANs
interfaces: remove null_service toggle as empty service name in PPPoE works fine
monit: fix alert script includes
ipsec: add passthrough networks when specified to prevent overlapping “connections” missing them
unbound: fix upgrade migration when database is not enabled
unbound: minor endpoint cleanups for DNS reporting page
firmware: fix a faulty JSON construction during partial upgrade check
ports: openssh 9.3p2 [1]
23.7.r1 (July 20, 2023)
For more than 8 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 23.1.11:
system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
system: fix assorted PHP 8.2 deprecation notes
system: fix assorted permission-after-write problems
system: introduce a gateway watcher service and fix issue with unhandled “loss” trigger when “delay” is also reported
system: enabled web GUI compression (contributed by kulikov-a)
system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
system: allow “.” DNS search domain override
system: on boot let template generation wait for configd socket for up to 10 seconds
system: do not allow state modification on GET for power off and reboot actions
system: better validation and escaping for cron commands
system: better validation for logging user input
system: improve configuration import when interfaces or console settings do not match
system: name unknown tunables as “environment” as they could still be supported by e.g. the boot loader
system: sanitize $act parameter in trust pages
system: add severity filter in system log widget (contributed by kulikov-a)
interfaces: extend/modify IPv6 primary address behaviour
interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
interfaces: introduce a lock and DAD timer into newwanip for IPv6
firewall: move all automatic rules for interface connectivity to priority 1
firewall: rewrote group handling using MVC/API
firewall: clean up AliasField to use new getStaticChildren()
firewall: “kill states in selection” button was hidden when selecting only a rule for state search
firewall: cleanup port forward page and only show the associated filter rule for this entry
captive portal: safeguard template overlay distribution
dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
dhcp: align router advertisements VIP code and exclude /128
dhcp: allow “.” for DNSSL in router advertisements
firmware: opnsense-version: remove obsolete “-f” option stub
firmware: properly escape crash reports shown
ipsec: add missing config section for HA sync
ipsec: add RADIUS server selection for “Connections” when RADIUS is not defined in legacy tunnel configuration
ipsec: only write /var/db/ipsecpinghosts if not empty
ipsec: check IPsec config exists before use (contributed by agh1467)
ipsec: fix RSA key pair generation with size other than 2048
ipsec: deprecating tunnel configuration in favour of new connections GUI
ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
openvpn: rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration option [2]
openvpn: rewrote client specific overrides using MVC/API
unbound: rewrote general settings and ACL handling using MVC/API
unbound: add forward-tcp-upstream in advanced settings
unbound: move unbound-blocklists.conf to configuration location
unbound: add database import/export functions for when DuckDB version changes on upgrades
unbound: add cache-max-negative-ttl setting (contributed by hp197)
backend: minor regression in deeper nested command structures in configd
mvc: fill missing keys when sorting in searchRecordsetBase()
mvc: properly support multi clause search phrases
mvc: allow legacy services to hook into ApiMutableServiceController
mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
mvc: add generic static record definition for ArrayField
ui: introduce collapsible table headers for MVC forms
plugins: os-acme-client 3.18 [3]
plugins: os-dnscrypt-proxy 1.14 [4]
plugins: os-dyndns removed due to unmaintained code base
plugins: os-frr 1.34 [5]
plugins: os-telegraf 1.12.8 [6]
plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
src: ipsec: add PMTUD support
src: FreeBSD 13.2-RELEASE [7]
ports: krb 1.21.1 [8]
ports: nss 3.91 [9]
ports: php 8.2.8 [10]
ports: py-duckdb 0.8.1
ports: py-vici 5.9.11
ports: sudo 1.9.14p2 [11]
ports: suricata now enables Netmap V14 API
Migration notes, known issues and limitations:
The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.
IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is recommended. An appropriate EoL announcement will be made next year.
The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.
The public key for the 23.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu90d9OlhEEqfPTRC5tVp
# XK1KAtvzKPVf2jvmTtWgFRFCB3fuYQcO7oNefXJoK0LaHNQgiOsBTvepVMicl2aI
# zrehgdbljjNFmp6KzEM55x05zOfZV8Gi8AEaJzEbb3rkWLkiXHnANfhHGvtHOrGr
# Hct84NMCcfCZZerwaQMqi+SAjgUzA+asmhAvjN0fbdH2SLx/ZMNzDcyPRFGtGiC7
# RQCzgCGz39ppJP4qordzRSy5YiwCxNe/SL/4ZG04eMVti47BPTCtioBzuASHqALJ
# BVOFzZpr1WZ89PT/T5W6xYzoyWemOyv9Rh+rhaTAhnq+OO4yudaytpPCAtXBULr/
# VOlDOX//qaZR8qbQOC9y9kIETH8Iivis5tonBAQmYPIJiqcxfjM4/R7yP2Q7mEsr
# PLNyP6HNe77JGoW1axNZlB/OL1XUI3r+Kksc2woIqTQ5sq95tHbddNqGIDg4cEOX
# FM5Y7tdvVEwl/nutaAzP07sqEyF8uNScLGsQwpBxHwV/qGGc+PbGqmbmWg3+Kt+e
# UeNcMvrgayhRt+lpVCAorVVjUTp0Y2+1x+V/IpukOaS2oldPIF0iXLZsQ90KYP3X
# QtmuxbiC2Em+eGHB6nSg1UZgUEaAb3xP1fpuLbi9McoUPxMXxVdfihSfSfUFXJTH
# SmqdO1BdG7VSwiQq9Ekbu5UCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-23.7.r1-dvd-amd64.iso.bz2) = ffc2fe24b16bf45b84223ccf78780e94715e695d6ef50bbb041dc1697dcd7862
# SHA256 (OPNsense-23.7.r1-nano-amd64.img.bz2) = d2e3de7d7919b0aaafe80c92ec944b94ebb005220e46ed71d8f816236bf4feab
# SHA256 (OPNsense-23.7.r1-serial-amd64.img.bz2) = 61b594799c1ab9c2daab9adcff93793bf54f875067a7ddec070ade1d67db3689
# SHA256 (OPNsense-23.7.r1-vga-amd64.img.bz2) = 5e90b9fd076a206409474d3667ee11439ecb86f44dbcb1bc339e96b5a83c5a28
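The SHA256 lines published with 23.7 and with 23.7.r1 above are meant to be checked against the downloaded images before installation. The following Python script is an added example of that check and is not an OPNsense tool: it parses the "SHA256 (file) = hex" lines exactly as they appear in these notes, streams each image through hashlib, and reports ok, mismatch or missing per file. The file names, contents and listing used by self_check() are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re

# Added example, not an OPNsense tool: verify downloaded images against the
# "SHA256 (file) = hex" lines published with each release. The release notes
# prefix those lines with "# ", which the parser tolerates.
CHECKSUM_LINE = re.compile(
    r"^\s*#?\s*SHA256\s*\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]{64})\s*$"
)


def parse_checksum_lines(text):
    """Return {filename: lowercase hex digest} for every well-formed line."""
    expected = {}
    for line in text.splitlines():
        match = CHECKSUM_LINE.match(line)
        if match:
            expected[match.group("name")] = match.group("digest").lower()
    return expected


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_downloads(checksum_text, directory):
    """Check every listed image against the files present in `directory`.

    Returns {filename: "ok" | "mismatch" | "missing"}. A "mismatch" means the
    download is corrupt or tampered with and must not be installed.
    """
    results = {}
    for name, expected in parse_checksum_lines(checksum_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_of_file(path)
        # compare_digest avoids leaking how many leading bytes matched; cheap
        # insurance even though this normally runs locally.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def self_check():
    """Run the verifier over a constructed download directory (not real images).

    Returns the status map for one good, one tampered and one missing file.
    """
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        payload = b"constructed image payload, not a real OPNsense image\n"
        with open(os.path.join(tmp, "good.img.bz2"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(tmp, "tampered.img.bz2"), "wb") as fh:
            fh.write(payload + b"one extra byte")
        digest = hashlib.sha256(payload).hexdigest()
        listing = "\n".join([
            f"# SHA256 (good.img.bz2) = {digest}",
            f"# SHA256 (tampered.img.bz2) = {digest}",
            f"# SHA256 (missing.img.bz2) = {digest}",
            "not a checksum line",
        ])
        return verify_downloads(listing, tmp)


if __name__ == "__main__":
    import sys
    # Usage: python3 verify.py checksums.txt /path/to/downloads
    # where checksums.txt holds the SHA256 lines copied from the release notes.
    with open(sys.argv[1], encoding="utf-8") as fh:
        report = verify_downloads(fh.read(), sys.argv[2])
    for name, status in sorted(report.items()):
        print(f"{status:9} {name}")
    sys.exit(0 if report and all(s == "ok" for s in report.values()) else 1)
```

A matching checksum proves the file is the one the published list describes; it only proves authenticity if the list itself came over a trusted channel. The public key printed with each release is the separate, stronger check (signature verification of the images) and is outside this example's scope.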